diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 68467671..2789ee07 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /opt/cni/bin/calico
+@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel
new file mode 100644
index 00000000..1c21c261
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-flannel
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel
+profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/cni-flannel>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local
new file mode 100644
index 00000000..9ca86fb5
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-host-local
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local
+profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/cni-host-local>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft
index e6a24a41..465b6d11 100644
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
 profile cni-xtables-nft {
     include <abstractions/base>
+    include <abstractions/consoles>
     include <abstractions/nameservice-strict>
 
     capability net_admin,
@@ -30,6 +31,4 @@ profile cni-xtables-nft {
     /etc/nftables.conf rw,
 
     @{PROC}/@{pids}/net/ip_tables_names r,
-
-    /dev/pts/[0-9]* rw,
 }
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index c700d8ef..d3e3325c 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -36,6 +36,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 
   umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
   umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+  umount /tmp/ctd-volume[0-9]*/,
   umount @{run}/netns/cni-@{uuid},
 
   signal (receive) set=term peer={dockerd,k3s},
@@ -84,7 +85,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   owner /var/tmp/** rwkl,
   owner /tmp/** rwkl,
         /tmp/cri-containerd.apparmor.d[0-9]* rwl,
-        /tmp/ctd-volume[0-9]*/ rw,
+        /tmp/ctd-volume[0-9]*/{data,} rw,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   @{sys}/kernel/security/apparmor/profiles r,